NETWORK INTELLIGENCE SECURITY ADVISORYThe major security news items of the month - major threats and security patch advisory. The advisory also includes IOCs and remedia�on steps.

DigestAugust 2019, Edi�on 1.0

IN THIS EDITION:

Security Advisory Listing Severity

To know more about our services reach us at info@niiconsul�ng.com or visit www.niiconsul�ng.com

LooCipher, a brand-new Ransomware is being distributed in the wild through a spam email campaign

A new ransomware called eCh0raix, written in Go language found targeting Network Attached Storage (NAS) devices from vendors such as Synology, Lenovo Iomega (or LenovoEMC), and QNAP

Security Patch Advisory

Critical

Critical

Multiple spear-phishing campaigns from Sweed Threat Actor found targeting Government & Defense Organizations, as well as Banking & Financial Institutions on a global scale

ALSO INSIDE

Critical

Critical

Critical

Sodinokibi Ransomware is widely distributed via compromised web application server and spam email campaigns a on global scale

Capital One Financial Corporation suffered a massive data breach incident caused due to misconfigured ModSecurity Web Application Firewall (WAF)

LooCipher, a brand-new Ransomware is being distributed in the wild through a spam email campaign

IMPACT

LooCipher, a brand-new Ransomware is being This poses a serious risk of unauthorized access, data loss, financial loss, and can cause disruption in business operations in the wild through a spam email campaign.

SECURITY ADVISORY

READ

Date: July 10, 2019

INTRODUCTION

LooCipher, a brand-new Ransomware is being distributed in the wild through a spam email campaign. It uses high-level Windows API librariessuch as Crypto++ for its encryption routine, which makes it difficult for Malware Analysis Sandboxes to reverse engineer the LooCipher Ransomware's binary code.

LooCipher Ransomware uses several encryption algorithms such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), and ECC/ECDSA (Elliptic Curve Cryptography or Elliptic Curve Digital Signature Algorithm), for encrypting files on victim's computers. What encryptionalgorithm to prefer, is decided based on system information collected from the victim's computer. LooCipher Ransomware starts its encryption routine by generating a 16bytedata block with random characters chosen from a hard-coded string within the LooCipher Ransomware's code, by considering the current system time as the seed. The generated data block is then shuffled to create a 16-byte encryption key that LooCipher Ransomware uses to encrypt files on avictim's computer. The cryptographic algorithm used for creating a 16-byte encryption key would differ from system to system depending on what Windows version and system architecture being used on victim's computer.

LooCipher Ransomware excludes Windows System Directories such as "C:\Program Files", "C:\Program Files (x86)" and "C:\Windows", from its file encryption routine, to avoid any interruption during the file encryption process. LooCipher Ransomware encrypts all types of files, not limited toDatabase files, Web Application or Server files, Backup files, Virtual Disc files, and Virtual Machine files. Encrypted files are appended with .lcphr extension, and System Volume Shadow copies are immediately deleted to prevent the victim from restoring their Windows computer to the previousstate

• LooCipher: Can Encrypted Files Be Recovered From Hell?• LooCipher: The New Infernal Ransomware

EARLY WARNING

VULNERABILITYMicrosoft Windows Workstation and Server products are vulnerable to this attack

Severity: Critical

LooCipher Ransomware is more likely to adopt zero-day exploits for Microsoft vulnerabilities CVE-2019-1132, CVE-2019-0887, CVE-20191126, CVE-2019-1136, and CVE-2019-1037, in coming weeks. We strongly recommend our customers to immediately deploy security patches for the above-listed vulnerabilities.

Multiple spear-phishing campaigns from Sweed Threat Actor found targeting Government & Defense Organizations, as well as Banking & Financial Institutions on a global scale

IMPACTThis poses a serious risk of unauthorized access, data breach, financial loss, and can impact the reputation of an organization

SECURITY ADVISORY

READ

Date: July 16, 2019

INTRODUCTION

Multiple spear-phishing campaigns from Sweed Threat Actor found targeting Government & Defense Organizations, as well as Banking &Financial Institutions on a global scale. The attack involves the use of malicious macro-enabled Excel spreadsheet, obfuscated PowerShell Scripts, AutoIT-compiled scripts, and Agent Tesla Malware.

The attack is initiated via a spear-phishing email containing a macro-enabled Excel Spreadsheet (.xls), which is sent to the target victim as an email attachment. Once the victim opens this Excel Spreadsheet, the malicious macro will execute and initiate C2 request to download anobfuscated PowerShell script from the attacker's C&C server. Once PowerShell script is downloaded, the macro will trigger Windows Management Instrumentation (WMI) instance to execute PowerShell script on the victim's computer. This PowerShell script will execute a series ofcommands to check Public IP and other network related information on victim's computer, and then proceeds to download AutoIT-compiled scripts from attacker's C&C server.

The AutoIT-compiled scripts are executed via Windows Management Instrumentation (WMI) instance, which deploys Agent Tesla malware onto the victim's computer. Once deployed, the Agent Tesla Malware will run as a legitimate Windows process to communicate to the attacker's C&C server.The Agent Tesla Malware uses SMTP port 587 for outbound C2 communication with C&C server and for data exfiltration. The Agent Tesla Malware also found using TCP Port 26 and 6388 for outbound C2 communication and data exfiltration.

SWEED: Exposing years of Agent Tesla campaigns

VULNERABILITY

Microsoft Windows Workstation and Server Platforms are vulnerable to this attack

Severity: Critical

TARGETED CVE IDs

• CVE-2019-1132• CVE-2019-0887 • CVE-2019-1130• CVE-2019-1129• CVE-2019-1037• CVE-2019-1067• CVE-2019-1113

Sodinokibi Ransomware is widely distributed via compromised web application server and spam email campaigns a on global scale

IMPACTThis poses a serious risk of unauthorized access, data loss, financial loss, and can disrupt business operations.

SECURITY ADVISORY

READ

Date: July 24, 2019

INTRODUCTION

Sodinokibi ransomware is widely distributed via compromised web application server and spam email campaign on a global scale. The attackinvolves exploitation of Oracle WebLogic vulnerabilities CVE2019-2725 & CVE-2019-2729 to compromise web server, and exploitation of Microsoft Windows vulnerability CVE-2018-8453, to run Sodinokibi ransomware with SYSTEM privilege & tamper with Windows Boot Configuration. This attack is initially delivered via either malicious macro-enabled Word document or malicious website link received through spam email. Once opened or accessed, it will download Malware loader which will furtherdownload Sodinokibi ransomware as a final payload. Sodinokibi ransomware will trigger VSSAdmin commands through elevated Command Prompt instance, to delete shadow copies (system restore points) on Windows system, and then trigger BCDEdit commands to disable WindowsStart-up recovery option and set BootStatusPolicy to ignore all Windows start-up failure messages. Sodinokibi ransomware is a severe threat to data stored on Windows-based system, as it runs with SYSTEM privilege via exploitation of Microsoft Windows vulnerability CVE-2018-8453.

Sodinokibi ransomware attacks with CVE-2018-8453

Severity: Critical

AFFECTED PRODUCTS

• Microsoft Windows Workstation and Server products.• Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, and 12.2.1.3.0.

TARGETED CVE IDs

• CVE-2019-1132• CVE-2019-0887• CVE-2019-1014• CVE-2019-1017• CVE-2019-0708• CVE-2019-0892• CVE-2019-0803• CVE-2019-0859• CVE-2019-0808• CVE-2019-0797• CVE-2019-0633• CVE-2019-0630• CVE-2018-8453• CVE-2019-2725• CVE-2019-2729

A new ransomware called eCh0raix, written in Go language found targeting Network Attached Storage (NAS) devices from vendors such as Synology, Lenovo Iomega (or LenovoEMC), and QNAP

IMPACTThis poses a serious risk of unauthorized access, data loss, financial loss, and can cause disruption in business operation.

SECURITY ADVISORY

Date: August 2, 2019

INTRODUCTION

A new ransomware called eCh0raix, written in Go language found targeting Network Attached Storage (NAS) devices from vendors such as Synology, Lenovo Iomega (or LenovoEMC), and QNAP to infect and encrypt data of an organization. The eCh0raix ransomware targets NAS devices by taking advantage of weak credentials and exploiting known vulnerabilities. It uses SOCKS5 proxy to communicate with the C2 server hosted on TOR network. It downloads the ransom note, an RSA public key used to encrypt the encryption key employs for encrypting victim's files and provides real-time insight on the malware's activity to the attacker. When executed on the NAS, it will perform language checks to see if the device is from certain CIS countries (Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Moldova, Russia, Tajikistan, Uzbekistan, and Turkmenistan). If so, the ransomware will not encrypt any files. It will then search for and kill the following process on infected NAS devices using service stop %s or systemctl stop %s commands;

Severity: Critical

AFFECTED PRODUCTS

Network Attached Storage (NAS) devices from vendors such as Synology, Lenovo Iomega (or LenovoEMC), and QNAP, are vulnerable to this ransomware attack.

• apache2• httpd• nginx• mysqld• mysqd• php-fpm It will also automatically skip files from directory paths that include the following strings when searching for files to encrypt on compromised NAS devices • /proc• /boot/• /sys/• /run/• /dev/• /etc/• /home/httpd• /mnt/ext/opt• .system/thumbnail• .system/opt• .config• .qpkg • It encrypts Microsoft Office documents and OpenOffice documents, PDFs, text files, archives, databases, photos, music, video, and image files using an AES in Cipher Feedback Mode (CFB) secret key created from an AES-256 key generated locally. This AES key is then encrypted with the downloaded or embedded public RSA key and stored in base64 format in the ransom note. • It demands a ransom amount of 0.05-0.06 BTC ($500 ~ $700 USD) or more to return the files.

READ

Threat Actors Utilizing eCh0raix Ransomware Change NAS Targeting

Capital One Financial Corporation suffered a massive data breach incident caused due to misconfigured ModSecurity Web Application Firewall (WAF)

IMPACTThis poses a serious risk of unauthorized access, data breach, financial loss, and can impact the reputation of the organization.

SECURITY ADVISORY

Date: August 5, 2019

INTRODUCTION

Capital One Financial Corporation (a company specialized in providing credit cards, auto loans, and banking services) headquartered in McLean, Virginia have suffered a massive data breach incident, where attacker had unauthorized access and downloaded nearly 30GB of credit card application data associated with Capital One Financial Corporation, between March 12, 2019, to July 17, 2019. Capital One Financial Corporation got to hear about the data theft from a tip sent via email on July 17, 2019, claiming some of their leaked data is stored and available on software development platform called Github. Credit card application data of Capital One Financial Corporation was hosted on rented Amazon AWS cloud instance, which includes information such as customer names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. This data breach incident affected approximately 100 million applicants from the United States and 6 million applicants from Canada. Breached data also includes approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers of applicants from the United States, and roughly 1 million Social Insurance Numbers (SINs) of applicants from Canada.

Severity: Critical

AFFECTED PRODUCTS

• Misconfigured ModSecurity WAF with elevated permissions is vulnerable.• Microsoft Windows-based Cloud Instances are vulnerable.

READ

• Capital One Data Theft Impacts 106M People ROOT CAUSE

This incident was caused due to a misconfiguration in ModSecurity Web Application Firewall (WAF) which was used alongside Apache HTTP server and was hosted on Amazon AWS cloud instance. The misconfiguration such as more elevated permissions assigned then required in ModSecurity WAF, allowed the attacker to exploit Server Side Request Forgery (SSRF) flaw within the WAF by relaying requests to a key back-end metadata resource on the AWS instance which had current credentials temporarily available, and was stored by security service to allow access to any resources on the Amazon AWS cloud instance from ModSecurity WAF. The investigation also reveals that the accused attacker was a former employee of Amazon AWS cloud service provider and was employed between May 2015 to September 2016. We strongly recommend our customers to take appropriate security measures to detect any misconfigured Security Device within their production line, by timely conducting configuration review for critical servers, network devices, and security devices.

Security Patch Advisory22nd July 2019 – 28th July 2019 | TRAC-ID: NII19.07.0.5

UBUNTU

Security Patch Advisory

SUSE

F5 NETWORKS